SOC Concepts


What is SOC?

A security operations center (SOC) is the central facility, and the team working in it,
of information-security professionals who continuously monitor, analyze, and defend an
organization against cyber attacks.

What are the main components of SOC?


People
- SOC manager

- SOC analyst

- SOC engineer

- SOC operator
Process
- Incident triage process: categorizing incoming alerts and incidents and
assigning each a severity / risk level so the most important ones are handled first.

- Vulnerability discovery process: identifying vulnerabilities in the
organization's systems (scanning, threat intelligence, assessments).

- Vulnerability remediation and tracking process: describes how vulnerabilities
are remediated and how their status is tracked until they are closed.

- Incident closure process: testing and verifying that the vulnerability or
root cause has been successfully fixed before the incident is closed.

- Incident analysis process: determining the root cause of an incident and
its scope (which systems, accounts and data were affected).

- Incident reporting process: documenting the incident and communicating it
to the relevant stakeholders.

- Post-incident activities process: a lessons-learned exercise in which you
gather as much information about the case as possible and use it to teach the
rest of the team (and to improve detections and playbooks).
Technology
- SIEM

- EDR/XDR

- IPS/IDS

- Cyber threat intelligence feeds and databases

- Vulnerability scanners

What are the responsibilities of level 1 and 2 SOC analysts?


SOC level 1 (tier 1) analysts monitor security tools, such as endpoint detection and
response (EDR) and security information and event management (SIEM) tools, to
identify potentially anomalous activity on networks and systems. They do the first-pass
triage of each alert (is it a false positive? is it covered by a playbook?) and escalate
anything that is confirmed or unclear to level 2 analysts.
SOC level 2 (tier 2) analysts investigate the escalated anomalous behavior in depth,
triage alerts using playbooks, tune the collection and detection tools to reduce false
positives, and use the MITRE ATT&CK framework (https://attack.mitre.org/) to identify
gaps in the organization's defensive posture. At this level an L2 analyst is also
expected to write detection content, for example YARA rules that match files or memory
for the malware seen in an incident, so that future occurrences are detected.

SOC models
- An in-house model, where all the resources, technology, processes, and
SOC employee training are managed within the organization.

- A managed security service provider (MSSP) model, where a third-party
security service provider manages all of the resources, technology,
processes, and training of SOC staff.

- A hybrid SOC model, where level 1 is outsourced to an MSSP and level 2
and above are kept in-house. Many large companies use this model.

What is a playbook/runbook in SOC?


Also known as a standard operating procedure (SOP): a set of step-by-step guidelines
for handling a given type of security incident or alert in the SOC.
For example, if credentials were compromised, the playbook would tell the level 1 SOC
analyst what actions to take and in what order (for example, disabling the account and
then looking for other activity from the same source). Strictly, a playbook describes
the overall decision flow for an incident type and a runbook the concrete technical
steps, but the two terms are often used interchangeably.

What is information security (infosec) and how is it achieved?


Information security means protecting the confidentiality, integrity, and
availability (the CIA triad) of information. It is achieved through risk management:
identify the valuable information, identify the assets that store or process it,
identify vulnerabilities in those assets, identify threats to the confidentiality,
integrity and availability of the information, and assess the impact on the
information and the organization if an incident occurs, then treat the highest risks first.
What is a SIEM?

1- Security information and event management (SIEM) is one of the critical
components of a SOC. It is a security solution that collects event and log data
from across your environment in (near) real time, filters and normalizes that
data, and creates alerts for suspicious events.

So, organizations use a SIEM to get centralized visibility into what is
happening on their network in real time.

2- SIEM = SEM + SIM

SEM (security event management) analyzes event and log data in real time to
provide event correlation, threat monitoring, and incident response.

SIM (security information management) stores log data long term, retrieves and
analyzes it, and generates reports (compliance, trend analysis, forensics).

3- How does SIEM work?

The SIEM collects log and event data generated by host systems, security
devices, and applications throughout the organization's network
infrastructure and collates it on a centralized platform. (Data collection =
event collector + flow collector)

Then it parses and normalizes this data and sorts it into categories, such as
malware activity, failed and successful logins, and other potentially malicious
activity. (Data processing = event processor + flow processor)

When a correlation rule identifies activity that could signify a threat, an
alert is generated to indicate a potential security issue. Pre-defined rules
assign each alert a priority (for example low or high) so analysts can triage them.

4- So, SIEM solutions provide a powerful method of threat detection, real-time
reporting and monitoring, and long-term analytics of security logs and events.

5- The main difference between a SIEM and an IDS is that a SIEM correlates events
from many different sources to identify patterns that might indicate an attack
has occurred, whereas an IDS inspects a single feed (network traffic for a NIDS,
host activity for a HIDS) against signatures or anomaly baselines and alerts on
each match. In practice the IDS alerts are themselves one of the log sources fed
into the SIEM.

What is SOAR?
- An abbreviation of Security Orchestration, Automation and Response. It is a
tool that lets the company integrate multiple security tools and data sources
into a single location and act on alerts from there.

- Orchestration: connect data from different tools into a single central
location to gain better oversight over threat alerts and improve responses.

- Automation: get rid of repetitive manual processes (enriching an alert with
threat intelligence, opening a ticket, looking up a host) by running them from a playbook.

- Response: execute the response actions of the playbook, such as isolating a
host, blocking an IP, or disabling an account, automatically or after analyst approval.

What Is Indicator Of Compromise (IOCs)?


Indicators of compromise (IOCs) are artifacts that are evidence of a potential
intrusion on a host system or network, for example file hashes, IP addresses,
domain names, URLs, e-mail senders, registry keys or mutex names seen in an attack.
They help InfoSec professionals detect intrusion attempts or other malicious
activity, typically by matching them against logs and telemetry (an IOC feed is one
of the data sources a SIEM consumes).
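To make the SIEM pipeline described under "How does SIEM work?" (collect, normalize and categorize, correlate, prioritize) and the IOC matching described above concrete, here is an added example in Python; it is not code from the original notes or from any SIEM product. The log lines, the threat-intel IP set and the rule thresholds are all constructed for the example. The correlation rule ("five or more failed logins from one source within five minutes, then a successful login from that source") and the IOC enrichment are the kind of detection content an L2 analyst would write for a real SIEM.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in an sshd-like format (not from a real system).
SAMPLE_LOGS = """\
2024-03-01T10:00:01 sshd[2201]: Failed password for root from 203.0.113.7 port 51001 ssh2
2024-03-01T10:00:03 sshd[2201]: Failed password for root from 203.0.113.7 port 51002 ssh2
2024-03-01T10:00:05 sshd[2201]: Failed password for admin from 203.0.113.7 port 51003 ssh2
2024-03-01T10:00:06 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51004 ssh2
2024-03-01T10:00:09 sshd[2201]: Failed password for alice from 203.0.113.7 port 51005 ssh2
2024-03-01T10:00:12 sshd[2201]: Accepted password for alice from 203.0.113.7 port 51006 ssh2
2024-03-01T10:05:00 sshd[2202]: Accepted publickey for bob from 198.51.100.20 port 40001 ssh2
2024-03-01T10:07:30 sshd[2203]: Failed password for bob from 192.0.2.99 port 40100 ssh2
2024-03-01T11:30:00 sshd[2204]: Accepted password for carol from 192.0.2.99 port 40200 ssh2
"""

# Constructed threat-intel feed: source IPs reported as malicious (the IOC database).
IOC_BAD_IPS = {"203.0.113.7", "192.0.2.250"}

# Data processing: turn a raw line into a normalized, categorized event.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) (?:password|publickey) "
    r"for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse(raw_logs):
    """Collector + processor: normalize raw lines into categorized events."""
    events = []
    for line in raw_logs.splitlines():
        m = LINE_RE.match(line)
        if not m:          # unparseable lines are dropped (a real SIEM would count them)
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "category": "login_failed" if m["result"] == "Failed" else "login_success",
            "user": m["user"],
            "src_ip": m["ip"],
        })
    return events


def run_siem(raw_logs, bad_ips, threshold=5, window=timedelta(minutes=5)):
    """Correlate normalized events and enrich them with IOC matches.

    Returns alerts sorted by priority. Two rules:
      brute_force_success: >= threshold failures from one IP inside `window`,
                           then a successful login from that IP (high).
      ioc_source_match:    any login activity from an IP on the threat-intel feed
                           (high if a login from it succeeded, else medium).
    """
    alerts = []
    recent_failures = defaultdict(list)   # src_ip -> timestamps of recent failures
    ioc_hits = defaultdict(lambda: {"events": 0, "success": False})

    for ev in sorted(parse(raw_logs), key=lambda e: e["ts"]):
        ip, ts = ev["src_ip"], ev["ts"]
        # Sliding window: forget failures older than `window`.
        recent_failures[ip] = [t for t in recent_failures[ip] if ts - t <= window]
        if ev["category"] == "login_failed":
            recent_failures[ip].append(ts)
        elif len(recent_failures[ip]) >= threshold:
            alerts.append({
                "rule": "brute_force_success",
                "priority": "high",
                "src_ip": ip,
                "user": ev["user"],
                "failures": len(recent_failures[ip]),
                "ts": ts.isoformat(),
            })
            recent_failures[ip].clear()
        # Enrichment: match the source against the IOC feed.
        if ip in bad_ips:
            ioc_hits[ip]["events"] += 1
            if ev["category"] == "login_success":
                ioc_hits[ip]["success"] = True

    for ip, hit in ioc_hits.items():
        alerts.append({
            "rule": "ioc_source_match",
            "priority": "high" if hit["success"] else "medium",
            "src_ip": ip,
            "events": hit["events"],
        })

    rank = {"high": 0, "medium": 1, "low": 2}
    return sorted(alerts, key=lambda a: rank[a["priority"]])


if __name__ == "__main__":
    for alert in run_siem(SAMPLE_LOGS, IOC_BAD_IPS):
        print(alert)
```

Running it on the sample yields two high-priority alerts, both for 203.0.113.7: the brute force that ended in a successful login as alice, and the IOC match for the same source. The single failure from 192.0.2.99 followed much later by a success never reaches the threshold inside the window, which is exactly the kind of pattern an IDS looking at one packet or one log line at a time cannot distinguish from normal activity.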
What is MITRE ATT&CK?
MITRE ATT&CK® is a globally accessible knowledge base of adversary tactics, techniques
and sub-techniques based on real-world observations. The Enterprise matrix had 14
tactics, 185 techniques and 367 sub-techniques when these notes were written; the
technique counts grow with each release, while the 14 tactics (the adversary's goals,
from Reconnaissance to Impact) have stayed stable.
What is Cyber Kill Chain?
Part of Lockheed Martin's Intelligence Driven Defense® model for the identification and
prevention of cyber intrusion activity. The model identifies, in seven steps, what an
adversary must complete in order to achieve their objective; breaking the chain at any
step stops the intrusion.
The seven steps are:
1. Reconnaissance: the intruder selects a target, researches it, and attempts to
identify vulnerabilities in the target network.
2. Weaponization: the intruder creates a remote-access malware weapon, such as a
virus or worm, tailored to one or more vulnerabilities.
3. Delivery: the intruder transmits the weapon to the target (e.g., via e-mail
attachments, websites, or USB drives).
4. Exploitation: the malware weapon's program code triggers, taking action on the
target network to exploit the vulnerability.
5. Installation: the malware weapon installs an access point (e.g., a "backdoor")
usable by the intruder.
6. Command and Control: the malware gives the intruder "hands on the keyboard"
persistent access to the target network.
7. Actions on Objectives: the intruder takes action to achieve their goals, such as
data exfiltration, data destruction, or encryption for ransom.
What should you do against these steps?
The defensive courses of action, which the kill-chain paper maps against each of the
seven phases in a course-of-action matrix:
1. Detect: determine whether an attacker is poking around.
2. Deny: prevent information disclosure and unauthorized access.
3. Disrupt: stop or change outbound traffic (to the attacker).
4. Degrade: slow down or weaken the attacker's command and control (e.g., a tarpit).
5. Deceive: interfere with command and control by feeding the attacker false
information (e.g., redirecting it to a defender-controlled system).
6. Contain: network segmentation changes that limit how far the intrusion can spread.
What is OWASP Top Ten.
The OWASP Top 10 is a standard awareness document for developers and web
application security practitioners. It represents a broad consensus about the most
critical security risks to web applications, and it is refreshed every few years as
the threat landscape changes.
What is the OSI model?
Open Systems Interconnection (OSI): a reference model for how applications
communicate over a network, with each layer encapsulating the data of the layer
above it in its own protocol data unit (PDU).
There are 7 layers in the OSI model (layer -> PDU -> function -> examples):
•Application layer -> Data -> network processes and applications -> SMTP, Telnet, HTTP,
FTP, DNS, etc.
•Presentation layer -> Data -> data formatting, compression and encryption -> JPEG,
ASCII/MIME; TLS/SSL is commonly placed here (HTTPS itself is HTTP over TLS, an
application-layer protocol)
•Session layer -> Data -> establishes, maintains and ends sessions between two hosts ->
NetBIOS, PPTP, RPC
•Transport layer -> Segments (TCP) / Datagrams (UDP) -> end-to-end connections, ports and
reliability -> TCP, UDP
•Network layer -> Packets -> path determination and logical (IP) addressing -> IP, ICMP;
routers and layer-3 switches
•Data link layer -> Frames -> physical (MAC) addressing, framing and error detection ->
Ethernet, ARP; switches and bridges
•Physical layer -> Bits -> putting the bits onto the physical medium -> hubs, NICs, cables
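As an added example (not from the original notes), the following Python builds one Ethernet/IPv4/TCP frame top-down and then decodes it bottom-up, naming the PDU at each layer (data, segment, packet, frame) as in the list above. The MAC addresses, IP addresses, ports and HTTP payload are constructed; the TCP checksum is left at zero to keep the example short (an assumption, real stacks compute it), and only the IPv4 header checksum is computed and verified.

```python
import socket
import struct


def ipv4_checksum(header):
    """RFC 1071 one's-complement checksum over 16-bit words.
    The caller passes the header with its checksum field zeroed."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def _mac_str(raw):
    return ":".join("%02x" % b for b in raw)


def build_frame(src_mac, dst_mac, src_ip, dst_ip, src_port, dst_port, payload):
    """Encapsulate top-down: data -> TCP segment -> IPv4 packet -> Ethernet frame."""
    # Layer 4: 20-byte TCP header, data offset 5 words, flags PSH|ACK (0x18).
    # TCP checksum is left as 0 here (assumption for brevity; real stacks compute it).
    tcp_header = struct.pack("!HHIIBBHHH", src_port, dst_port, 1000, 0,
                             5 << 4, 0x18, 65535, 0, 0)
    segment = tcp_header + payload
    # Layer 3: 20-byte IPv4 header; the checksum covers the header only.
    total_len = 20 + len(segment)
    ip_header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000,
                            64, 6, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    cksum = ipv4_checksum(ip_header)
    ip_header = ip_header[:10] + struct.pack("!H", cksum) + ip_header[12:]
    packet = ip_header + segment
    # Layer 2: Ethernet II header, EtherType 0x0800 = IPv4.
    eth_header = _mac_bytes(dst_mac) + _mac_bytes(src_mac) + struct.pack("!H", 0x0800)
    return eth_header + packet


def decode_frame(frame):
    """Decapsulate bottom-up and report each layer's PDU and header fields."""
    dst_mac, src_mac = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:
        raise ValueError("not an IPv4 frame: ethertype 0x%04x" % ethertype)
    packet = frame[14:]
    (ver_ihl, _tos, total_len, _ident, _flags, ttl, proto,
     cksum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    header = packet[:ihl]
    # Recompute with the checksum field zeroed; a mismatch means corruption or tampering.
    checksum_ok = ipv4_checksum(header[:10] + b"\x00\x00" + header[12:]) == cksum
    segment = packet[ihl:total_len]
    (sport, dport, seq, ack, offset, flags,
     _win, _tcp_cksum, _urg) = struct.unpack("!HHIIBBHHH", segment[:20])
    data = segment[(offset >> 4) * 4:]
    return {
        "frame":   {"src_mac": _mac_str(src_mac), "dst_mac": _mac_str(dst_mac),
                    "ethertype": ethertype},                                     # L2
        "packet":  {"src_ip": socket.inet_ntoa(src), "dst_ip": socket.inet_ntoa(dst),
                    "ttl": ttl, "protocol": proto, "checksum_ok": checksum_ok},  # L3
        "segment": {"src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
                    "flags": flags},                                             # L4
        "data": data,                                                            # L5-L7
    }


# Constructed sample: an HTTP request (application-layer data) from a client to a web server.
PAYLOAD = b"GET / HTTP/1.1\r\nHost: www.example.test\r\n\r\n"
FRAME = build_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb",
                    "192.0.2.10", "198.51.100.5", 40000, 80, PAYLOAD)

if __name__ == "__main__":
    for layer, fields in decode_frame(FRAME).items():
        print(layer, fields)
```

The decoded frame is 14 + 20 + 20 bytes of headers around the payload, one header per layer from 2 to 4; flipping a single bit of the TTL in the raw bytes makes `checksum_ok` false, which is the kind of header-integrity check a NIC or router performs before it trusts the packet.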

What are encoding, hashing, encryption?


Encoding: converts data into a different representation (Base64, URL encoding, UTF-8)
so it can be exchanged between different systems. It uses no key and anyone can
reverse it, so it provides no security.
Hashing: protects the integrity of a message or data. A hash function maps input of
any size to a fixed-size digest; any change to the data, however small, produces a
different digest, so tampering can be noticed. It cannot be reversed to recover the input.
Encryption: protects the confidentiality of data. The data is transformed with a key
so that only someone holding the right key can recover (decrypt) it.

What is the difference between encryption and hashing?


Point 1: Encryption is reversible (with the key) whereas hashing is irreversible.
Unsalted hashes of guessable inputs such as passwords can still be "cracked" with
rainbow tables or dictionary attacks, which precompute the digests of likely inputs
and look the target up, and weak hash functions are subject to collision attacks,
which find two different inputs with the same digest; neither actually inverts the
function, and salting plus a slow password-hashing function defeats precomputation.
Point 2: Encryption ensures confidentiality whereas hashing ensures integrity.
Point 3: Encryption needs a key; a plain hash does not (a keyed hash, HMAC, adds
authenticity on top of integrity).
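The three properties above (encoding reversible by anyone, hashing one-way but tamper-evident, encryption reversible only with the key), plus the precomputation attack on unsalted hashes and its salted counter-measure, as an added Python example using only the standard library; it is not code from the original notes. Base64 stands in for encoding, SHA-256 for hashing, PBKDF2 with a random salt for password hashing, and a one-time pad (random key as long as the message, used once) is the cipher, chosen so the example runs without third-party libraries; for real data use an authenticated cipher such as AES-GCM. The messages and candidate-password list are constructed.

```python
import base64
import hashlib
import hmac
import secrets


# --- Encoding: changes representation only; anyone can reverse it, no key involved.
def encode(data):
    return base64.b64encode(data).decode("ascii")


def decode(text):
    return base64.b64decode(text)


# --- Hashing: fixed-size fingerprint; any change to the input changes the digest,
#     and there is no way back from the digest to the input.
def digest(data):
    return hashlib.sha256(data).hexdigest()


def verify_integrity(data, expected_hex):
    # Constant-time compare avoids leaking how many leading characters matched.
    return hmac.compare_digest(digest(data), expected_hex)


# "Cracking" an unsalted hash: precompute digests of likely inputs (a rainbow table
# is a space-optimized version of this idea) and look the target digest up.
def build_lookup_table(candidates):
    return {digest(c.encode()): c for c in candidates}


def crack_unsalted(hash_hex, table):
    return table.get(hash_hex)      # None when the input was not in the table


# A per-password random salt makes every precomputed table useless, and a slow KDF
# (PBKDF2 here; bcrypt/scrypt/Argon2 are better choices) makes guessing expensive.
def hash_password(password, salt=None):
    salt = salt if salt is not None else secrets.token_bytes(16)
    kdf = hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)
    return salt, kdf.hex()


def verify_password(password, salt, stored_hex):
    return hmac.compare_digest(hash_password(password, salt)[1], stored_hex)


# --- Encryption: reversible, but only with the key. A one-time pad (random key as
#     long as the message, never reused) is used here purely to stay dependency-free.
def otp_encrypt(plaintext):
    key = secrets.token_bytes(len(plaintext))
    return key, bytes(p ^ k for p, k in zip(plaintext, key))


def otp_decrypt(key, ciphertext):
    if len(key) != len(ciphertext):
        raise ValueError("key must be exactly as long as the ciphertext")
    return bytes(c ^ k for c, k in zip(ciphertext, key))


if __name__ == "__main__":
    message = b"wire 10000 to account 42"          # constructed message
    print("encoded:", encode(message), "->", decode(encode(message)))
    print("sha256:", digest(message))
    table = build_lookup_table(["password", "123456", "letmein"])
    print("unsalted 'letmein' cracked:", crack_unsalted(digest(b"letmein"), table))
    salt, stored = hash_password(b"letmein")
    print("salted 'letmein' cracked:", crack_unsalted(stored, table))
    key, ct = otp_encrypt(message)
    print("decrypted:", otp_decrypt(key, ct))
```

The lookup table recovers the unsalted `letmein` immediately, but the salted PBKDF2 output of the same password is not in the table and the attacker would have to rebuild the table per salt; decrypting the ciphertext with the wrong key simply returns garbage, which is the practical meaning of "reversible only with the key".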
